‘Ask a QSA’ received a number of queries recently, however the below question is something that we believe will resonate with quite a few of our clients. Seasoned QSA, Natasja Bolton stepped up to the challenge.
Does Payment Application Data Security Standard (PA-DSS) apply to payment applications provided as ‘Software as a Service’?
Natasja Bolton, Acquirer Support Manager
This question relates to dealings with merchants using cloud-hosted Software as a Service applications, such as Property Management Systems or Travel Booking Systems, which also allow the merchant to submit and authorise card payments.
The simple answer to the question ‘Does PA-DSS apply?’ is no, PA-DSS does not apply to payment applications provided as ‘Software as a Service’ (SaaS). However, the full answer is slightly more complicated as this position only applies where the application is offered only as SaaS and is not sold, distributed, or licensed to third parties.
Firstly, you need to understand whether the cloud-hosted applications is truly a web-based SaaS application or if it relies on a ‘client’ application locally installed on the merchant’s PC. We have seen CRM solutions that, while they do rely on a hosted SaaS application/database, also require the merchant to install local client application software to be able to interact with that SaaS solution.
If that local client application is handling cardholder data, as part of the process to authorise the card payment transaction, then as it is a commercial application ‘sold and distributed’ to the merchant it may be eligible for PA-DSS validation.
Similarly, the SaaS provider may offer the merchant a card payment module ‘plug-in’ that authorises the card payments and integrates those transactions back into the hosted SaaS application. Such a ‘plug-in’ or module would also be eligible for PA-DSS validation. If you determine that an application used by your merchant is eligible for PA-DSS you should encourage them to take this up with the software vendor.
In addition, if the company providing this hosted application is itself capturing, processing, transmitting (and possibly also storing) cardholder data on behalf of a merchant, they would need to be PCI DSS compliant in their own right, as a service provider. This is a scenario similar to an ecommerce platform provider that operates merchant direct integration ecommerce websites.
If the SaaS provider claims to be a validated PCI DSS compliant service provider, you should check that the SaaS services, including the payment card handing, payment page integration and authorisation routing, are included within the scope of their assessment.
This should be obvious from the list of services included in the assessment, listed in the Service Provider’s Attestation of Compliance, and from the descriptions provided in Part 2 of that AOC.
For more information please click here
If you are a merchant that requires technical or PCI DSS help, please click here